Wednesday, July 21, 2021

SOC analyst interview questions

  •  1. Explain risk, vulnerability and threat?

A vulnerability (weakness) is a gap in the protection of a system; a threat is an agent or event, such as an attacker, that can exploit that weakness. Risk is the measure of the potential loss when the vulnerability is exploited by the threat.


2. What is the difference between Asymmetric and Symmetric encryption and which one is better?

Symmetric encryption uses the same key for both encryption and decryption, while Asymmetric encryption uses different keys for encryption and decryption.

Symmetric encryption is usually much faster, but both parties need the same key, so the key itself has to be distributed securely somehow. Asymmetric encryption, on the other hand, solves the key-distribution problem but is slow.

Hence a hybrid approach is preferred: set up the channel (exchange the session key) using asymmetric encryption, then encrypt the data with a symmetric cipher.


4. What is XSS, how will you mitigate it?

Cross-site scripting (XSS) is a web application vulnerability in which attacker-supplied JavaScript ends up running in other users' browsers.

It occurs when a user enters a script in a client-side input field and that input gets processed without being validated.

This leads to untrusted data being saved and then executed on the client side. Countermeasures against XSS are input validation and implementing a CSP (Content Security Policy).


5. What is the difference between encryption and hashing?

Encryption is reversible whereas hashing is irreversible. Hashes of common inputs can still be recovered with rainbow tables, and weak hash functions are subject to collision attacks, but the function itself is not reversible.

Encryption ensures confidentiality whereas hashing ensures Integrity.


7. What is CSRF?

Cross-Site Request Forgery is a web application vulnerability in which the server does not verify that a request was intentionally issued by the logged-in user rather than forged by another site; the request is simply processed.
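The missing check described above, as an added example that is not part of the original post: a state-changing request is accepted only if its Origin (or Referer) header names our own site and the form carries the anti-CSRF token bound to the session. The site origin, header names and token field are assumptions of this example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# Constructed value: the origin the application is served from.
SITE_ORIGIN = "https://app.example"


def issue_csrf_token() -> str:
    """Create a random per-session token (synchronizer token pattern)."""
    return secrets.token_urlsafe(32)


def same_origin(header_value: Optional[str]) -> bool:
    """True when an Origin (or Referer) header names our own site."""
    if not header_value:
        return False
    parts = urlparse(header_value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def request_is_trusted(headers: dict, form: dict, session_token: str) -> bool:
    """The check the vulnerable server in the text does not perform.

    A state-changing request is accepted only if (a) the browser says it
    originated from our own site and (b) the form carries the token that
    was bound to this user's session when the page was served.
    """
    origin = headers.get("Origin") or headers.get("Referer")
    if not same_origin(origin):
        return False
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks no timing information.
    return hmac.compare_digest(submitted.encode(), session_token.encode())


if __name__ == "__main__":
    token = issue_csrf_token()
    genuine = ({"Origin": SITE_ORIGIN}, {"csrf_token": token, "amount": "10"})
    forged = ({"Origin": "https://evil.example"}, {"amount": "9999"})
    print("genuine request accepted:", request_is_trusted(*genuine, token))  # True
    print("forged request accepted:", request_is_trusted(*forged, token))    # False
```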


13. CIA triangle?

Confidentiality: Keeping the information secret.

Integrity: Keeping the information unaltered.

Availability: Information is available to the authorised parties at all times.


14. HIDS vs NIDS and which one is better and why?

HIDS is a host intrusion detection system and NIDS is a network intrusion detection system. Both the systems work on similar lines. It’s just that the placement is different. HIDS is placed on each host whereas NIDS is placed in the network. For an enterprise, NIDS is preferred as HIDS is difficult to manage, plus it consumes the processing power of the host as well.


20. Various response codes from a web application?

1xx – Informational responses

2xx – Success

3xx – Redirection

4xx – Client-side error

5xx – Server-side error



30. What is a false positive and false negative in case of IDS?

When the device generates an alert for an intrusion that has not actually happened, this is a false positive; if the device generates no alert and an intrusion has actually happened, this is a false negative.



https://www.siemxpert.com/blog/soc-analyst-interview-question/


  • Question 4: What is the three-way handshake?

Three-way handshake mechanism: In this mechanism, the client sends a SYN TCP packet to the server, asking to synchronize (open a connection) and announcing its initial sequence number. The server responds with a SYN/ACK packet, acknowledging the connection request and assigning its own sequence number. The client then sends an ACK packet to accept the server's response.
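The exchange above as an added example, not part of the original post: a small Python model of the three segments that makes explicit what the prose leaves implicit, namely that each acknowledgement number is the other side's sequence number plus one, and that a SYN/ACK not matching the SYN actually sent is rejected. The Segment fields and the initial sequence numbers are constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Segment:
    src: str
    dst: str
    flags: str    # "SYN", "SYN/ACK" or "ACK"
    seq: int      # sequence number
    ack: int = 0  # acknowledgement number; meaningful only when ACK is set

def client_syn(client_isn: int) -> Segment:
    """Step 1: the client picks an initial sequence number (ISN) and sends SYN."""
    return Segment("client", "server", "SYN", seq=client_isn)

def server_syn_ack(syn: Segment, server_isn: int) -> Segment:
    """Step 2: the server picks its own ISN and acknowledges the client's SYN.
    The ack number is the client's ISN + 1 because the SYN consumed one sequence number."""
    return Segment("server", "client", "SYN/ACK", seq=server_isn, ack=syn.seq + 1)

def syn_ack_valid(syn: Segment, syn_ack: Segment) -> bool:
    """A SYN/ACK is accepted only if it acknowledges the SYN we actually sent."""
    return syn_ack.flags == "SYN/ACK" and syn_ack.ack == syn.seq + 1

def client_ack(syn: Segment, syn_ack: Segment) -> Segment:
    """Step 3: the client acknowledges the server's ISN; both sides are now ESTABLISHED."""
    if not syn_ack_valid(syn, syn_ack):
        raise ValueError("SYN/ACK does not match our SYN; segment dropped")
    return Segment("client", "server", "ACK", seq=syn.seq + 1, ack=syn_ack.seq + 1)

def handshake(client_isn: int, server_isn: int) -> List[Segment]:
    """Run the three steps and return the segments in wire order."""
    syn = client_syn(client_isn)
    syn_ack = server_syn_ack(syn, server_isn)
    return [syn, syn_ack, client_ack(syn, syn_ack)]

def server_established(syn_ack: Segment, ack: Segment) -> bool:
    """The server leaves SYN-RECEIVED only when the final ACK acknowledges its ISN."""
    return ack.flags == "ACK" and ack.ack == syn_ack.seq + 1 and ack.seq == syn_ack.ack

if __name__ == "__main__":
    for seg in handshake(client_isn=1000, server_isn=5000):
        print(f"{seg.src} -> {seg.dst}: {seg.flags} seq={seg.seq} ack={seg.ack}")
```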


Question 6: What is data leakage? Explain in your own words.

Answer: Data leakage refers to the exposure or transmission of an organization’s sensitive data to an external recipient. The data may be transmitted or exposed via the internet or by physical means.


Question 7: List the steps to develop the Data Loss Prevention (DLP) strategy?

Answer: The steps to develop and implement a DLP strategy are as follows:

Step 1: prioritize the critical data assets

Step 2: categorize the data based on its source

Step 3: analyze which data is more prone to the risks

Step 4: monitor the transmission of the data

Step 5: develop control measures to mitigate the data leakage risk


Question 8: What is the difference between TCP and UDP?


TCP (Transmission Control Protocol)

TCP is reliable as it guarantees the delivery of data packets to the destination.

TCP is heavyweight.

TCP is slower as compared to UDP.

Example: HTTP, SSH, HTTPS, SMTP


UDP (User Datagram Protocol)

UDP is not reliable as it does not guarantee the delivery of data packets to the destination.

UDP is lightweight.

UDP is faster than TCP.

Example: TFTP, VoIP, online multiplayer games


Question 9: What is the difference between firewall deny and drop?

Answer: DENY RULE: If the firewall is set to deny rule, it will block the connection and send a reset packet back to the requester. The requester will know that the firewall is deployed.

DROP RULE: If the firewall is set to drop rule, it will block the connection request without notifying the requester.

It is best to set the firewall to deny outgoing traffic and drop incoming traffic, so that an attacker will not know whether a firewall is deployed or not.


Question 11: What is the Runbook in SOC?

A runbook, also known as a standard operating procedure (SOP), consists of a set of guidelines to handle security incidents and alerts in the Security Operation Centre. The L1 security analyst generally uses it for better assessment and documentation of the security events.


Question 12: What is the difference between the Red Team and the Blue Team?

Red Team: The red team plays an offensive role. The team conducts rigorous exercises to penetrate the security infrastructure and identify the exploitable vulnerabilities in it. The red team is generally hired by the organization to test the defenses.

Blue Team: The blue team plays a defensive role. The blue team’s role is to defend the organization’s security infrastructure by detecting the intrusion. The members of a blue team are internal security professionals of the organization.


Question 13: Define a Phishing attack and how to prevent it?

Answer: Phishing is a type of social engineering attack in which an attacker obtains sensitive information from the target by creating urgency, using threats, impersonation, and incentives. Spear phishing, e-mail spam, session hijacking, smishing, and vishing are types of phishing attacks.


Question 14: What is the Cross-Site Scripting (XSS) attack, and how to prevent it?

Answer: Cross-site Scripting: In a cross-site scripting attack, the attacker gets malicious scripts to execute on a web page and can thereby steal the user’s sensitive information. With an XSS vulnerability, the attacker can deliver a Trojan, read out user information, and perform specific actions such as defacing the website.


Countermeasures:

    Encoding the output

    Applying filters at the point where input is received

    Using appropriate response headers

    Enabling content security policy

    Escaping untrusted characters
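Two of the countermeasures listed here and in Question 4, encoding the output and enabling a content security policy, as an added example that is not part of the original post. The vulnerable renderer drops input straight into the page; the hardened one encodes for the HTML context it is writing into (element text, attribute value, or a script block), and the CSP header admits only same-origin scripts carrying a per-response nonce. The comment markup, field names and nonce value are constructed.

```python
import html
import json

def render_comment_unsafe(author: str, body: str) -> str:
    """The vulnerable pattern the text describes: input is written into the
    page without validation or encoding, so a script in the body executes."""
    return f'<div data-author="{author}"><p>{body}</p></div>'

def render_comment(author: str, body: str) -> str:
    """Context-aware output encoding. quote=True (the default) also escapes the
    quote characters, which is what keeps input from closing an attribute."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body)
    return f'<div data-author="{safe_author}"><p>{safe_body}</p></div>'

def embed_in_script(value: str) -> str:
    """Data placed inside a <script> block needs JavaScript-string encoding,
    not HTML encoding. json.dumps quotes the string; escaping '<' and '/' as
    well means a value containing '</script>' cannot close the block early."""
    encoded = json.dumps(value).replace("<", "\\u003c").replace("/", "\\/")
    return f"<script>var comment = {encoded};</script>"

def csp_header(nonce: str) -> str:
    """Content-Security-Policy permitting only same-origin scripts that carry
    this per-response nonce; an injected inline script has no nonce and is refused."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    # Constructed untrusted input standing in for a comment-form submission.
    payload = "<script>alert(1)</script>"
    print(render_comment_unsafe("mallory", payload))  # script tag reaches the browser
    print(render_comment("mallory", payload))         # &lt;script&gt;... shown as text
    print(embed_in_script(payload))
    print(csp_header("r4nd0mN0nce"))
```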



Question 15: Explain the SQL injection vulnerability and give countermeasures to prevent it?

Answer: SQL Injection: SQL injection is a well-known web application vulnerability that allows attackers to interfere with the communication between a web application and its database. Attackers inject malicious input into an SQL statement to compromise the database; they can retrieve or modify the data. In some cases it allows attackers to perform DDoS attacks.


Countermeasures:

    Using parameterized queries

    Validating the inputs

    Creating stored procedures

    Deploying a web application firewall

    Escaping untrusted characters
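The first two countermeasures on this list, as an added example that is not part of the original post: the vulnerable query that concatenates input into the statement, beside the parameterized version, with allow-list input validation layered on top. The in-memory SQLite table, its rows and the username pattern are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Allow-list for what a username may look like (constructed rule).
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", "admin"),
        ("bob", "bob@example.test", "user"),
    ])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Untrusted input is concatenated into the statement, so it can change the
    statement's structure instead of being treated as a value."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the statement text is fixed and the value travels
    separately, so whatever the input contains it is compared as a literal."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def lookup_validated(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Input validation layered on the parameterized query: anything that is not
    shaped like a username is rejected before it reaches the database at all."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input that turns the WHERE clause into a tautology
    print(lookup_vulnerable(db, probe))     # both rows: the statement's logic was rewritten
    print(lookup_parameterized(db, probe))  # []: looked for a user literally named that
```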


Question 16: Difference between hashing and Encryption?


Hashing

Conversion of data into a fixed-length unreadable string using an algorithm

Hashed data cannot be reverted to the readable original

The length of the hashed string is fixed

No keys are used in hashing


Encryption

Conversion of data into an unreadable string using cryptographic keys

Encrypted data can be decrypted back into readable strings

The length of the encrypted string is not fixed

Keys are used in Encryption
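The hashing properties from this comparison and from Question 5, as an added example that is not part of the original post: the digest length is fixed whatever the input, the function is one-way, and yet an unsalted hash of a common input falls to a precomputed table (the principle behind a rainbow table), which a per-password random salt plus an iterated hash defeats. The wordlist and iteration count are constructed choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

def sha256_hex(data: bytes) -> str:
    """Fixed-length digest: 64 hex characters whatever the input size."""
    return hashlib.sha256(data).hexdigest()

def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precomputed digest -> word table, the principle behind a rainbow table.
    It works only because an unsalted hash of a given input is always identical."""
    return {sha256_hex(w.encode()): w for w in wordlist}

def lookup_unsalted(digest_hex: str, table: Dict[str, str]) -> Optional[str]:
    """Recover the input of an unsalted hash by table lookup; None if not precomputed."""
    return table.get(digest_hex)

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """How hashing should be used for stored passwords: a random per-password salt
    makes any precomputed table useless, and PBKDF2's iterations make guessing slow."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Hashing is one-way, so verification re-hashes the candidate and compares."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    print(sha256_hex(b"a"), sha256_hex(b"a" * 100_000), sep="\n")   # both 64 chars
    table = build_lookup_table(["password", "letmein", "summer2021"])  # constructed wordlist
    print(lookup_unsalted(sha256_hex(b"letmein"), table))             # letmein
    salt, stored = hash_password("letmein")
    print(verify_password("letmein", salt, stored))                    # True
```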


Question 18: What is the difference between SIEM and IDS?

Both collect the log data, but unlike SIEM, IDS does not facilitate event correlation and centralization of log data.


Question 20: What is DNS? Why is DNS monitoring essential?

DNS monitoring can disclose information such as the websites visited by an employee, malicious domains accessed by an end user, and malware connecting to a Command & Control server. It can help in identifying and thwarting cyberattacks.
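The three things the answer says DNS monitoring can reveal, as an added example that is not part of the original post: a pass over a query log that records which names each endpoint resolved, flags queries for a blocklisted domain, and flags long high-entropy labels of the kind produced by DNS tunnelling or DGA-based C2 beaconing. The blocklist, the log lines and the entropy thresholds are constructed and are not real indicators.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed stand-in for a threat-intelligence blocklist (not real indicators).
KNOWN_BAD = {"update-check.example.net"}

# Constructed DNS query log: (client IP, queried name).
DNS_LOG = [
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "update-check.example.net"),
    ("10.0.0.9", "mail.example.com"),
    ("10.0.0.9", "internal-file-server-backup.example.com"),
    ("10.0.0.12", "x7k2m9p4q1w8e5r3t6y0u.example-tunnel.test"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking strings score higher than words."""
    counts = Counter(s)
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())

def suspicious_label(name: str, min_len: int = 20, min_entropy: float = 4.0) -> bool:
    """Long, high-entropy leftmost labels are typical of DNS tunnelling or DGA
    C2 beacons. Thresholds are constructed; tune them against your own baseline."""
    label = name.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def analyse(log: List[Tuple[str, str]]):
    """Return (findings, sites_per_client); each finding is (client, name, reason)."""
    findings = []
    sites_per_client: Dict[str, set] = defaultdict(set)
    for client, name in log:
        sites_per_client[client].add(name)  # what each endpoint resolved
        if name in KNOWN_BAD:
            findings.append((client, name, "query for known malicious domain"))
        elif suspicious_label(name):
            findings.append((client, name, "possible DNS tunnelling / DGA"))
    return findings, dict(sites_per_client)

if __name__ == "__main__":
    found, per_client = analyse(DNS_LOG)
    for item in found:
        print(item)
    print(per_client)
```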


https://www.infosectrain.com/blog/20-most-common-soc-analyst-interview-questions-and-answers/ 


  • How does a Web Application Firewall work?
A WAF examines and filters traffic to web applications. It keeps track of communication between client and server, and between servers.
A WAF protects against some of the most common attacks, including SQL injection, cross-site scripting and (D)DoS attacks.
When you first define communication and access, you let the WAF monitor traffic for a period of time so that it can learn what legitimate traffic looks like. It then establishes a baseline against which it can flag unusual traffic patterns.

What are the differences between Web Application Firewalls and traditional firewalls?
Application firewalls are on a higher level in the OSI model compared to traditional firewalls.
If a new type of attack is discovered, the WAF software can be updated with that attack's signature, which enables it to recognise the pattern of that traffic and block it.

What are the benefits of using a WAF?
Many agree that it is better to protect the application itself than only the server. This allows a deeper level of detail than traditional firewalls, giving finer-grained protection. A Web Application Firewall helps prevent data loss, data corruption and spoofing.

https://complior.se/questions-and-answers-about-waf/
There are several types of firewalls, but the most common one is the hardware network firewall.
Basic firewalls work at Layer 3 and Layer 4 of the OSI model.

A network firewall is stateful. This means that the firewall keeps track of the state of the connections that pass through it.
For example, if an internal host successfully accesses an Internet website through the firewall, the firewall keeps the connection in its connection table so that reply packets from the external web server are allowed back to the internal host, because they belong to an established connection.
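The connection table just described, as an added example that is not part of the original post: a deliberately simplified model in which an outbound SYN records the connection, inbound packets pass only when they reverse a recorded tuple, and FIN/RST forgets the state. It models the table alone (no timeouts, no full TCP state machine); the packet fields and addresses are constructed.

```python
from dataclasses import dataclass
from typing import Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str      # "SYN", "SYN/ACK", "ACK", "FIN" or "RST"
    direction: str  # "out" = internal host -> Internet, "in" = Internet -> internal host

class StatefulFirewall:
    """Constructed model of a stateful firewall's connection table: outbound
    connections are recorded, and inbound packets pass only when they are the
    reply half of a recorded connection."""

    def __init__(self) -> None:
        # Entries are (internal_ip, internal_port, external_ip, external_port).
        self.table: Set[Tuple[str, int, str, int]] = set()

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
            if p.flags == "SYN":  # internal host opens a new connection: remember it
                self.table.add(key)
        else:
            # An inbound reply has our host as destination, so reverse the tuple.
            key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if key not in self.table:  # no matching connection: unsolicited traffic
            return "DROP"
        if p.flags in ("FIN", "RST"):  # teardown: forget the connection state
            self.table.discard(key)
        return "ALLOW"

if __name__ == "__main__":
    fw = StatefulFirewall()
    print(fw.filter(Packet("10.0.0.5", 51000, "203.0.113.10", 443, "SYN", "out")))      # ALLOW
    print(fw.filter(Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SYN/ACK", "in")))   # ALLOW
    print(fw.filter(Packet("198.51.100.9", 40000, "10.0.0.5", 22, "SYN", "in")))        # DROP
```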

Next-Generation Firewalls work all the way up to Layer 7 of the OSI models which means they are able to inspect and control traffic at the application level.

Because it must be able to block traffic, the IPS is connected in line with the packet flow. As shown in the network topology above (Firewall with IPS), the IPS device is usually connected behind the firewall, in-line on the communication path that carries packets to and from the internal network.

Usually an IPS is signature-based, which means that it has a database of known malicious traffic, attacks, and exploits; if it sees packets matching a signature, it blocks the traffic flow.
Alternatively, an IPS can work with statistical anomaly detection, rules set by the administrator, etc.

An IDS (Intrusion Detection System) is the predecessor of IPS and is passive in nature. As shown from the network above (Firewall with IDS), this device is not inserted in-line with the traffic but rather it is in parallel (placed out-of-band).

Traffic passing through the switch is also sent at the same time to the IDS for inspection. If a security anomaly is detected in the network traffic, the IDS will only raise an alarm (to the administrator); it cannot block the traffic.
Similar to IPS, the IDS device also uses mostly signatures of known security attacks and exploits in order to detect an intrusion attempt.
In order to send traffic to the IDS, the switch device must have a SPAN port configured in order to copy traffic and send it towards the IDS node.
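The signature matching described for IPS and IDS, scored with the false positive and false negative definitions from Question 30, as an added example that is not part of the original post. The signatures are run over a small labelled request log twice, once on the raw lines and once after URL decoding, so that the effect of normalisation on misses shows up in the counts. The signature set, the log lines and their ground-truth labels are all constructed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed signature set standing in for an IDS ruleset: pattern -> alert name.
SIGNATURES = {
    r"union\s+select": "SQL injection attempt",
    r"<script": "cross-site scripting attempt",
    r"\.\./\.\./": "directory traversal attempt",
}

# Constructed request log; each line carries the analyst's ground truth
# (True = real intrusion attempt) so the detector's output can be scored.
TRAFFIC: List[Tuple[str, bool]] = [
    ("GET /index.html HTTP/1.1", False),
    ("GET /search?q=1%20UNION%20SELECT%20password%20FROM%20users", True),
    ("GET /blog?title=%3Cscript%3Ealert(1)%3C/script%3E", True),
    ("GET /sql-tutorial?topic=union select basics", False),
    ("GET /files?name=../../etc/passwd", True),
    ("GET /images/logo.png", False),
]

def detect(line: str, normalize: bool = True) -> List[str]:
    """Signature matching as an IDS/IPS does it. Without normalisation the
    URL-encoded attempts slip past the raw patterns (false negatives)."""
    text = unquote(line) if normalize else line
    return [name for pat, name in SIGNATURES.items() if re.search(pat, text, re.IGNORECASE)]

def evaluate(traffic: List[Tuple[str, bool]], normalize: bool = True) -> Dict[str, int]:
    """Score alerts against ground truth: a false positive is an alert with no
    intrusion, a false negative an intrusion with no alert."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for line, is_attack in traffic:
        alerted = bool(detect(line, normalize))
        if alerted and is_attack:
            counts["TP"] += 1
        elif alerted and not is_attack:
            counts["FP"] += 1  # the tutorial page about UNION SELECT trips the rule
        elif not alerted and is_attack:
            counts["FN"] += 1  # an attempt the signatures did not recognise
        else:
            counts["TN"] += 1
    return counts

if __name__ == "__main__":
    print("raw matching:     ", evaluate(TRAFFIC, normalize=False))
    print("with URL decoding:", evaluate(TRAFFIC, normalize=True))
```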

The two can be coupled, however: an IDS can send a command to the firewall to block specific packets when it detects an attack.

Since most websites nowadays use SSL (HTTPS), the WAF can also provide SSL acceleration and SSL inspection by terminating the SSL session and inspecting the traffic inside the connection on the WAF itself.
As shown from the network above (Firewall with WAF), it is placed in front of a Website (usually) in a DMZ zone of a firewall.

https://forum.huawei.com/enterprise/en/comparison-and-differences-between-ips-vs-ids-vs-firewall-vs-waf/thread/763619-867

Which of these protocols is a connection-oriented protocol? The Correct Answer is:- D

  • A) FTP
  • B) UDP
  • C) POP3
  • D) TCP 

What port range is an obscure third-party application most likely to use? The Correct Answer is:- D

  • A) 1 to 1024
  • B) 1025 to 32767
  • C) 32768 to 49151
  • D) 49152 to 65535 

Which category of firewall filters is based on packet header data only? The Correct Answer is:- C

  • A) Stateful
  • B) Application
  • C) Packet
  • D) Proxy 

At which layer of the OSI model does a proxy operate? The Correct Answer is:- D

  • A) Physical
  • B) Network
  • C) Data Link
  • D) Application 

Which technology allows the use of a single public address to support many internal clients while also preventing exposure of internal IP addresses to the outside world? The Correct Answer is:- D

  • A) VPN
  • B) Tunneling
  • C) NTP
  • D) NAT 

What item is also referred to as a logical address to a computer system? The Correct Answer is:- A

  • A) IP address
  • B) IPX address
  • C) MAC address
  • D) SMAC address 

Which of the following is commonly used to create thumbprints for digital certificates? The Correct Answer is:- A

  • A) MD5
  • B) MD7
  • C) SHA12
  • D) SHA8 

Which of the following creates a fixed-length output from a variable-length input? The Correct Answer is:- A

  • A) MD5
  • B) MD7
  • C) SHA12
  • D) SHA8 

What encryption process uses one piece of information as a carrier for another? The Correct Answer is:- A

  • A) Steganography
  • B) Hashing
  • C) MDA
  • D) Cryptointelligence 

Which of the following is a major security problem with FTP? The Correct Answer is:- C

  • A) Password files are stored in an unsecure area on disk.
  • B) Memory traces can corrupt file access.
  • C) User IDs and passwords are unencrypted.
  • D) FTP sites are unregistered. 

What type of program exists primarily to propagate and spread itself to other systems and can do so without interaction from users? The Correct Answer is:- D

  • A) Virus
  • B) Trojan horse
  • C) Logic bomb
  • D) Worm  

Which mechanism is used by PKI to allow immediate verification of a certificate’s validity? The Correct Answer is:- D

  • A) CRL
  • B) MD5
  • C) SSHA
  • D) OCSP  

Which statement(s) defines malware most accurately? The Correct Answer is:- B,C

  • A) Malware is a form of virus.
  • B) Trojans are malware.
  • C) Malware covers all malicious software.
  • D) Malware only covers spyware. 

Which is/are a characteristic of a virus?

  • A) A virus is malware.
  • B) A virus replicates on its own.
  • C) A virus replicates with user interaction.
  • D) A virus is an item that runs silently.

A polymorphic virus __________. The Correct Answer is:- C

  • A) Evades detection through backdoors
  • B) Evades detection through heuristics
  • C) Evades detection through rewriting itself
  • D) Evades detection through luck 

A sparse infector virus __________. The Correct Answer is:- C

  • A) Creates backdoors
  • B) Infects data and executables
  • C) Infects files selectively
  • D) Rewrites itself 
How do you protect the data link layer (Layer 2 of the OSI model)? Encryption.
What security controls can you implement at Layer 7 (application) of the OSI model? WAF, proxies, content delivery network (CDN).
What protocols are used at the transport layer of the OSI model? TCP and UDP.
SNMP is a Layer 7 (application) protocol.
ICMP is a Layer 3 (network) protocol.

